Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/macadmins/escrow-buddy
A macOS authorization plugin that helps MDM administrators ensure valid FileVault keys are escrowed for all their Macs.
https://github.com/macadmins/escrow-buddy
authorization-plugin filevault full-disk-encryption loginwindow macadmin macos mdm personal-recovery-key
Last synced: 27 days ago
JSON representation
A macOS authorization plugin that helps MDM administrators ensure valid FileVault keys are escrowed for all their Macs.
- Host: GitHub
- URL: https://github.com/macadmins/escrow-buddy
- Owner: macadmins
- License: apache-2.0
- Created: 2023-06-07T14:16:23.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-08-25T15:19:22.000Z (4 months ago)
- Last Synced: 2024-08-25T16:36:12.422Z (4 months ago)
- Topics: authorization-plugin, filevault, full-disk-encryption, loginwindow, macadmin, macos, mdm, personal-recovery-key
- Language: Objective-C
- Homepage:
- Size: 3.37 MB
- Stars: 189
- Watchers: 14
- Forks: 9
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
Awesome Lists containing this project
- awesome-macadmin-tools - https://github.com/macadmins/escrow-buddy
README
# ![Escrow Buddy](images/escrow_buddy_logo_300px.png)
**Escrow Buddy is a macOS authorization plugin that allows MDM administrators to generate and escrow new FileVault personal recovery keys on Macs that lack a valid escrowed key in MDM.**
For more context around the problem of missing FileVault keys in MDM and Escrow Buddy's origin, see [this post on the Netflix Tech Blog](https://netflixtechblog.com/escrow-buddy-an-open-source-tool-from-netflix-for-remediation-of-missing-filevault-keys-in-mdm-815aef5107cd).
If you've successfully deployed Escrow Buddy, we'd love to know the details in [this brief survey](https://forms.gle/cRY3t2cRwZMQtGbb8). Thank you!
---
## Requirements
- Your managed Macs must:
- be enrolled in an MDM
- have macOS Mojave 10.14.4 or newer
- Your MDM must:
- support FileVault recovery key escrow
- deploy a configuration profile with the [FDERecoveryKeyEscrow](https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow) payload
- have the ability to install packages and run shell scripts**NOTE**: Escrow Buddy only works with MDM-based escrow solutions, not escrow servers like Crypt Server or Cauliflower Vest.
---
## Deployment
1. **Ensure you have an escrow profile scoped to all Macs** with the [FDERecoveryKeyEscrow](https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow) payload.
This will ensure that any newly generated FileVault recovery key, no matter how it's generated, will be escrowed to your MDM server.
1. Use your MDM to **install the [latest Escrow Buddy installer package](https://github.com/macadmins/escrow-buddy/releases/latest)** on your Macs.
You can choose to install on all Macs or limit to those that need FileVault recovery keys escrowed.
1. Use your MDM to **run this command** (in root context) on Macs that do not have a valid FileVault recovery key escrowed:
defaults write /Library/Preferences/com.netflix.Escrow-Buddy.plist GenerateNewKey -bool true
It is recommended to have this script run dynamically on Macs that need it using your MDM's dynamic scoping feature. See the [Examples](https://github.com/macadmins/escrow-buddy/wiki/Examples) page for examples.
That's it! The next time a FileVault-authorized user logs in to the Mac, a new FileVault personal recovery key will be generated and escrowed to your MDM.
---
## Support
See the wiki for [Frequently Asked Questions](https://github.com/macadmins/escrow-buddy/wiki/FAQ) and [Troubleshooting](https://github.com/macadmins/escrow-buddy/wiki/Troubleshooting) resources.
If you've read those pages and are still having problems, please search our [issues](https://github.com/macadmins/escrow-buddy/issues) (both open and closed) to see whether your issue has already been addressed there. If not, you can [open an issue](https://github.com/macadmins/escrow-buddy/issues/new?template=default.md).
For a faster and more focused response, be sure to provide the following in your issue:
- Log output (see [wiki](https://github.com/macadmins/escrow-buddy/wiki/FAQ#how-do-i-view-escrow-buddys-logs) for information on retrieving logs)
- macOS version you're deploying to
- MDM (name and version) you're using
- What troubleshooting steps you've already taken---
## Contribution
Contributions are welcome! To contribute, [create a fork](https://github.com/macadmins/escrow-buddy/fork) of this repository, commit and push changes to a branch of your fork, and then submit a [pull request](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request). Your changes will be reviewed by a project maintainer.
Contributions don't have to be code; we appreciate any help maintaining our [wiki](https://github.com/macadmins/escrow-buddy/wiki) or answering [issues](https://github.com/macadmins/escrow-buddy/issues).
Also, if you've successfully deployed Escrow Buddy at your organization, please consider submitting [our brief survey](https://forms.gle/cRY3t2cRwZMQtGbb8) for measuring the project's community impact.
---
## Credits
Escrow Buddy was created by the **Netflix Client Systems Engineering** team.
The [Crypt](https://github.com/grahamgilbert/crypt) project was a major inspiration in the creation of this tool — huge thanks to Graham, Wes, and the Crypt team! Jeremy Baker and Tom Burgin's 2015 PSU MacAdmins [session](https://www.youtube.com/watch?v=tcmql5byA_I) on authorization plugins was also a valuable resource.
Escrow Buddy is licensed under the [Apache License, version 2.0](https://www.apache.org/licenses/LICENSE-2.0).